IETF Logo Mail Archive

Re: [Acme] Wildcard certificate via http-01

Alan Doherty <ietf@alandoherty.net> Thu, 25 January 2018 00:04 UTC

Return-Path: <ietf@alandoherty.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24AB312D854 for <acme@ietfa.amsl.com>; Wed, 24 Jan 2018 16:04:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r7wdYqSJNCP0 for <acme@ietfa.amsl.com>; Wed, 24 Jan 2018 16:04:34 -0800 (PST)
Received: from bigsvr.orionnetworks.ie (hosting.orionnetworks.ie [195.2.202.63]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0213E12D84F for <acme@ietf.org>; Wed, 24 Jan 2018 16:04:33 -0800 (PST)
Received: from host249.freudenhaus.alandoherty.net ([193.120.128.249]:4774 helo=alans-p4.alandoherty.net) by bigsvr.orionnetworks.ie with esmtpsa(TLSv1:DHE-RSA-AES256-SHA:256) (auth-as tel1) (nexus 1.3.4.80.1) (envelope-from <ietf@alandoherty.net>) id 1eeV1l-0007xd-Bq ; Thu, 25 Jan 2018 00:04:32 +0000
X-AD-RPFS-HEAD: for info on below codes http://www.alandoherty.net/mailsystem/mail-tagging/
X-AD-RPFS-GOOD-0: AV-SCAN-PASS SA-SCORE--1.6 SA-BAR-(-)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 25 Jan 2018 00:04:22 +0000
To: Hugo Leisink <hugo@leisink.net>, acme@ietf.org
From: Alan Doherty <ietf@alandoherty.net>
In-Reply-To: <95fc4d5d-8f5f-7f5a-0e36-d1e4b45178b8@leisink.net>
References: <95fc4d5d-8f5f-7f5a-0e36-d1e4b45178b8@leisink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <E1eeV1l-0007xd-Bq@bigsvr.orionnetworks.ie>
X-VIRUS: NONE {no virus found, This is no guarentee}
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/8wUIFPa2jt1nHs-aMTZRdXKAvZU>
Subject: Re: [Acme] Wildcard certificate via http-01
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2018 00:04:37 -0000

I would second this proposal
but as for all my domains where we need wildcard certs do not have wildcards in dns

like I instruct users to pop from username.pop3a.example.org smtp to username.smtps.example.org
or https api to api-key.api.example.com for other stuff

specifically so when username/api-key is deleted/revoked his dns fails and he stops bothering our servers (as he will inevitably never tell gmail or other webclient stop ;) 
so rather than have huge san certs we'd prefer *.pop3a.example.org on our tls certs
(we have a http listener for *.pop3a.example.org and *.smtps.example.org that redirects to our pop3 and smtp help page (that we could respond to acme challenges on easily)

that said I now see we could easily do

deleted.pop3a      A 127.0.0.1
deleted.smtps      A 127.0.0.1
*.pop3a            A our.rea.lip.add
*.smtps            A our.rea.lip.add
but then users could (thus would) setup random-typo.pop3a.example.org in their clients and we'd be none the wiser till we try and swat them years later as dead users ;)

but I guess much like DNS-01 we could add a temporary wildcard to dns for the time needed for the authentication to succeed then remove afterward (and during the period also see how many ex-users are still retrying ;) )

but dns-01 will likely still serve us better

but I still approve for those with actual wildcards in their actual zone files for whatever reason

but for those with wildcard in dns simply connecting to http://random.wildcarddomain.com/.well-known/acme-challenge/whatever
once for ownership
then dns lookup of random1.wildcarddomain.com random2.wildcarddomain.com random3.wildcarddomain.com
to verify same ip(s) returned should prove the wildcard exists
if ips differ only then should it be necessary to follow up with http gets (say its got dns loadbalancers or summit)
 http://random1-3.wildcarddomain.com/.well-known/acme-challenge/whatever


At 21:42 24/01/2018  Wednesday, Hugo Leisink wrote:
>Hi,
>
>While implementing ACMEv2 for Let's Encrypt, I noticed that wildcard
>certificates can only be obtained via dns-01. Because it's not possible
>for me to do that automatically, I proposed them a way to do it via
>http-01. After they said that 'it might work', they told me to contact
>you about this.
>
>My idea is that when a client requests a wildcard certificate
>(*.domain.tld), the CA server offers a challenge and requests that
>challenge via HTTP while using a random hostname (<long random
>string>.domain.tld). Because only a webserver with a website configured
>for *.domain.tld and with a properly configured DNS can respond to this
>challenge, it's enough proof that the request for a wildcard certificate
>is valid. Perhaps the CA server can do multiple requests with a new
>randomly chosen hostname for more proof. After all, they will all end up
>at the same website.
>
>The discussion about this at the Let's Encrypt forum can be found here:
>https://community.letsencrypt.org/t/wildcard-certificates-via-http-01/51223
>
>I really like to hear your thoughts about this.
>
>Kind regards,
>Hugo Leisink
>
>
>_______________________________________________
>Acme mailing list
>Acme@ietf.org
>https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email